Risk Assessment (ID.RA)

The cybersecurity risk to the organization, assets, and individuals is understood by the organization

Subcategories

Vulnerabilities in assets are identified, validated, and recorded

Cyber threat intelligence is received from information sharing forums and sources

Internal and external threats to the organization are identified and recorded

Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded

Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization

Risk responses are chosen, prioritized, planned, tracked, and communicated

Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

Processes for receiving, analyzing, and responding to vulnerability disclosures are established

The authenticity and integrity of hardware and software are assessed prior to acquisition and use

Critical suppliers are assessed prior to acquisition